All versions: 114 · Avg release cycle: 49 days · Latest release: 18 days ago

Changelog History

  • v4.7.2

    November 25, 2019
    • ➕ Add request.params as query parameters (#1398)
    • 🖐 Handle more permit! cases (#1426)
    • ✂ Remove version guard for named_scope vs. scope
    • Find SQL injection in String#strip_heredoc target (#1433)
    • Ensure file name is set when processing models
    • 📜 Bundle ruby_parser version 3.14.1 (#1429)
  • v4.7.1

    October 29, 2019
    • Sort text report by file and line (Jacob Evelyn)
    • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
    • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
    • Check string length against limit before joining
    • 🛠 Fix flaky rails4 test (Adam Kiczula)
    • 🛠 Fix errors from frozen Symbol#to_s in Ruby 2.7
    • ➕ Add release dates to each version in CHANGES (TheSpartan1980)
  • v4.7.0

    October 16, 2019
    • ⚡️ Update Haml support to Haml 5.x (#1044)
    • Catch shell injection from -c shell commands (Jacob Evelyn)
    • Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)
    • ♻️ Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
    • 🛠 Fix version_between? (Andrey Glushkov)
    • Ignore interpolation in %W[] (#1399)
    • Ignore form_for for XSS check
  • v4.6.1

    July 24, 2019
  • v4.6.0

    July 24, 2019
    • ➕ Add check for cookie serialization with Marshal (#1316)
    • ➕ Add reverse tabnabbing check (Linos Giannopoulos)
    • ⚠ Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
    • ⚡️ Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
    • 👍 Warn people that Haml 5 is not fully supported (Jared Beck)
    • Index calls in initializers
    • 👌 Improve template output handling in conditional branches
    • Avoid assigning nil line numbers to Sexps
    • ➕ Add special warning code for custom checks
    • ➕ Add call matching by regular expression
    • Skip calls to dup (#1374)
    • ⏪ Restore Warning#relative_path
    • 👍 Better handling of gems with no version declared
  • v4.5.1

    May 11, 2019
    • ➕ Add initial Rails 6 support
    • ➕ Add optional check for config.force_ssl (#1181)
    • ➕ Add deserialization warning for Oj.load/object_load
    • Add SQL injection checks for destroy_by/delete_by
    • Add SQL injection checks for find_or_create_by and friends
    • Check link_to with block for href XSS (#1339)
    • Convert !! calls to boolean value (#1343)
    • Use relative paths for __FILE__
    • Represent file paths internally as Brakeman::FilePath
    • πŸ– Handle empty partial names
    • πŸ– Handle trailing comma in block args
    • βœ‚ Remove code for Ruby versions prior to 1.9
  • v4.5.0

    March 16, 2019
    • 💎 Officially drop support for running with older Ruby versions
    • More thoroughly handle Shellwords escaping (#1323)
    • 🖐 Handle non-integer version number comparisons (#1305)
    • 👍 Better handling of splat/kwsplat arguments (#1204)
    • 🖐 Handle ** inside Hash literals
    • ➕ Add support for CoffeeScript in Slim templates
    • 👌 Improve support for embedded template "filters"
    • ✂ Remove Sass dependency
    • Avoid joining strings with different encodings
    • 👌 Improve "user input" reported for SQL injection
    • Stop swallowing exceptions in AliasProcessor
    • ➕ Add original exception to Tracker#errors list
    • 📜 Use FileParser in Scanner to parse files
    • Set location information in CheckContentTag
    • ⚡️ Update RubyParser to 3.13.0
  • v4.4.0

    January 17, 2019
    • ➕ Add check for CVE-2018-3760
    • ➕ Add --enable option to enable optional checks
    • ➕ Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
    • 🖐 Handle empty secrets.yml files (Naoki Kimura)
    • ⚠ Ignore Tempfiles in FileAccess warnings (Christina Koller)
    • ⚠ Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
    • Treat if not like unless (#1225)
    • 🛠 Fix Rails 4 configuration handling
    • 0️⃣ Set default encoding to UTF-8
    • 👌 Support reading gem versions from gemspecs
    • 👌 Support gem versions which are just major.minor (e.g. 3.0)
    • Correctly set rel="noreferrer" in HTML reports
    • 🛠 Fix thread-safety issue in CallIndex
    • 🛠 Fix trim mode for ERb templates in old Rails versions
    • Avoid nil errors when concatenating arrays
    • ➕ Add rendered template information to render paths
    • Trim some unnecessary files from bundled gems
    • 🛠 Dead code and typo fixes found via Coverity
    • ⚠ Complete overhaul of warning message construction
    • ⚡️ Update to Slim 4.0.1 (Jake Peterson)
    • ⚡️ Update to RubyParser 3.12.0
    • ⚡️ Updated license
  • v4.3.1

    June 07, 2018
    • Add :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
    • πŸ– Handle Array#map and Array#each over literal arrays (#1208 / #1224)
    • πŸ‘‰ Use safe literal when accessing literal hash with unknown key (#1213)
    • πŸ‘ Allow symbolize_keys to be called on params in SQL (Jacob Evelyn)
    • πŸ‘Œ Improve handling of conditionals in shell commands (Jacob Evelyn)
    • πŸ—„ Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
    • Ignore Object#freeze, use the target instead (#1211)
    • Ignore foreign_key calls in SQL (#1202)
    • πŸ– Handle included calls outside of classes/modules (#1209)
    • πŸ›  Fix error when setting line number in implicit renders (#1210)
  • v4.3.0

    May 11, 2018
    • ➕ Add --parser-timeout option
    • 👌 Improve timeout error messages
    • Check exec-type calls even if they are targets (#1199)
    • Index Kernel#` calls even if they are targets (#1183)
    • BaseCheck#include_interp? should return first string interpolation (#1189)
    • Ignore Process.pid in system calls
    • Warn about dangerous link_to href with sanitize() (#1187)
    • Ignore params#to_h and params#to_hash in SQL checks (#1180)
    • Convert Array#join to string interpolation (#1179)
    • 🔄 Change "".freeze to just "" (#1182)
    • --color can be used to force color output (#1175)
    • Track parent calls in call index
    • 🛠 Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
    • Code Climate: omit leading dot from only_files (Todd Mazierski)